io_uring/tctx: mark io_wq as exiting before error path teardown

syzbot reports that it's hitting the below condition for exiting an
io_wq context:

WARN_ON_ONCE(!test_bit(IO_WQ_BIT_EXIT, &wq->state))

in io_wq_put_and_exit(), which can be triggered with memory allocation
fault injection. Ensure that the io_wq is marked as exiting to silence
this warning trigger.

Reported-by: syzbot+79a4cc863a8db58cd92b@syzkaller.appspotmail.com
Fixes: 7880174e1e5e ("io_uring/tctx: clean up __io_uring_add_tctx_node() error handling")
Reviewed-by: Clément Léger <cleger@meta.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/tctx.c b/io_uring/tctx.c
index c011a593c0ad875b0a64c9ca5de797617c74e1a3..80366320276dd37947486cb7abce85dfcc1fdbe9 100644 (file)
--- a/io_uring/tctx.c
+++ b/io_uring/tctx.c
@@ -171,8 +171,10 @@ int __io_uring_add_tctx_node(struct io_ring_ctx *ctx)
        }
        if (!current->io_uring) {
 err_free:
-               if (tctx->io_wq)
+               if (tctx->io_wq) {
+                       io_wq_exit_start(tctx->io_wq);
                        io_wq_put_and_exit(tctx->io_wq);
+               }
                percpu_counter_destroy(&tctx->inflight);
                kfree(tctx);
        }